Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

| Date | Rubygem | Title | CVE |
|------|---------|-------|-----|
| 2015-12-09 | mail | SMTP command injection | CVE-2015-9097 |
| 2015-11-23 | passenger | Phusion Passenger Server allows to overwrite headers in some cases | CVE-2015-7519 |
| 2015-11-17 | mustache-js-rails | mustache.js - quoteless attributes in templates can lead to XSS | |
| 2015-10-24 | mapbox-rails | mapbox-rails Content Injection via TileJSON attribute | |
| 2015-09-20 | gollum | gollum Upload File Functionality Permits Arbitrary File Access | CVE-2015-7314 |
| 2015-09-17 | devise-two-factor | devise-two-factor 1.1.0 and earlier vulnerable to replay attacks | CVE-2015-7225 |
| 2015-08-24 | handlebars-source | handlebars.js - quoteless attributes in templates can lead to XSS | |
| 2015-07-28 | spree | Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure | |
| 2015-07-21 | uglifier | uglifier incorrectly handles non-boolean comparisons during minification | |
| 2015-07-20 | spree | Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure | |
| 2015-07-17 | sidekiq-pro | Sidekiq Pro Gem for Ruby CSRF in Job Filtering | |
| 2015-07-13 | rack-cors | rack-cors Gem Missing Anchor permits unauthorized CORS requests | CVE-2017-11173 |
| 2015-07-06 | sidekiq | Sidekiq Gem for Ruby Multiple Unspecified CSRF | |
| 2015-06-30 | ruby-saml | Ruby-Saml Gem is vulnerable to entity expansion attacks | |
| 2015-06-22 | redcarpet | redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow | CVE-2015-5147 |
| 2015-06-16 | activesupport | Possible Denial of Service attack in Active Support | CVE-2015-3227 |
| 2015-06-16 | spina | Cross-site request forgery (CSRF) vulnerability in Spina gem | CVE-2015-4619 |
| 2015-06-16 | activesupport | XSS Vulnerability in ActiveSupport::JSON.encode | CVE-2015-3226 |
| 2015-06-16 | jquery-ujs | CSRF Vulnerability in jquery-ujs | CVE-2015-1840 |
| 2015-06-16 | web-console | IP whitelist bypass in Web Console | CVE-2015-3224 |
| 2015-06-16 | jquery-rails | CSRF Vulnerability in jquery-rails | CVE-2015-1840 |
| 2015-06-16 | rack | Potential Denial of Service Vulnerability in Rack | CVE-2015-3225 |
| 2015-06-08 | rubygems-update | RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking | CVE-2015-4020 |
| 2015-06-05 | paperclip | Paperclip Gem for Ruby vulnerable to content type spoofing | CVE-2015-2963 |
| 2015-06-04 | bson | Data Injection Vulnerability in bson Rubygem | CVE-2015-4412 |
| 2015-06-04 | moped | Data Injection Vulnerability in moped Rubygem | CVE-2015-4410 |
| 2015-06-04 | sidekiq | Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS | |
| 2015-05-25 | omniauth | CSRF vulnerability in OmniAuth's request phase | CVE-2015-9284 |
| 2015-05-14 | rubygems-update | RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking | CVE-2015-3900 |
| 2015-05-11 | sidekiq-pro | Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements Reflected XSS | |